Some holders of the security industry's much vaunted Certified Information Systems Security Professional [CISSP] certification are worried their hard-earned credential will lose its cachet with the introduction of another, similar-sounding designation awarded to those guarding critical infrastructure networks. That certification, awarded by the Critical Infrastructure Institute, is known informally as the CCISP.
"I am strongly concerned that the acronym is too close to the CISSP," said J.P. Vossen, a CISSP and integration manager for Counterpane Internet Security. "Having been a CISSP since the late '90s, I can attest firsthand that many in the business world already have trouble keeping the acronym straight, and this new one is only going to make matters worse."
Those seeking the newer credential must meet minimum requirements, including being employed at least three years in critical infrastructure, Supervisory Control and Data Acquisition (SCADA) or other high-availability environments. Candidates also must pass a background check because of the sensitive nature of the class material and undergo cert renewals every two years through earning credits. The CISSP, by contrast, now requires four years in the field and examines candidates' knowledge on a wider breadth of subjects. It also requires members to undergo continuous education to maintain good standing.
In the past several years, a number of newer certifications have entered the arena, vying for practitioners seeking higher pay for proven security skills. The deluge has folks drowning in alphabet soup.
"IT as a profession suffers from an overabundance of acronyms that are both confusing and, in many cases, not unique," Vossen concluded. "While any profession will have jargon, we are guaranteed to have to interface with many outside that profession who depend on us. Infosecurity is perhaps even worse in both jargon and the price of failure, so we should be trying to make things better, not actively making them worse."
At the center of this conundrum is the Certified Critical Infrastructure Security Professional recognized by the Information Systems Security Association [ISSA] and tailored to specific environments. Issuers of the CCISP say that it's a completely different type of credential -- one aimed at the critical-infrastructure sector -- that actually complements the CISSP.
"We specialize in critical infrastructure protection, which typically entails oil and gas, utility and nuclear facilities," Clint Bodungen, president of the Critical Infrastructure Institute, said. "Our course curriculum specializes in CIP-specific systems and equipment, namely Supervisory Control and Data Acquisition [SCADA] -- an area that (ISC)2 does not focus on."
"The acronym is logical as it is a certification for professionals in its industry's namesake [CIP], and we recommend that all potential students obtain the CISSP prior to embarking on the much more industrial specialized CCISP since the CISSP provides a good security foundation," Bodungen added.
"I would be very surprised if (ISC)2 does not go after them for trademark infringement," said Marc Rogers, a CISSP and assistant professor of computer technology at Purdue University. "It's just too close to a CISSP."
According to Bodungen, the non-profit International Information Systems Security Certification Consortium, Inc., which maintains the CISSP, did issue a cease-and-desist order demanding disuse of the CCISP acronym, but it wasn't pursued beyond that. Meantime, Bodungen's company continues to market the cert.
(ISC)2 isn't explaining why it abandoned the effort. Sarah Bohne, director of communications and constituent services at (ISC)2, told SearchSecurity.com that the organization has a policy that prohibits employees from commenting on other security certifications and credentials.
Other CISSPs, however, spoke more freely.
"While the acronym is certainly similar, from a legal perspective it is different," said Ron Baklarz, a CISSP and the CISO of The American Red Cross. "I would agree that it will cause confusion, and it is unfortunate that it is so similar. I think the impact on the CISSP will be minimal since (ISC)2 itself began diluting the certification with the SSCP [Systems Security Certified Practitioner], not to mention others such as ISACA's CISM [Certified Information Security Manager]."
Stephen Cobb, a CISSP and security expert, sees the CCISP's inclusion differently. "It appears to be the case from my reading of its Web site, it has been created as a for-profit venture. One of the main things that sets the CISSP apart from other certifications is that it was created, and is managed, by a non-profit organization. Some vendor-based certifications, such as those of Cisco and Microsoft, have their place, but credible professional certifications need to be run by non-profit organizations; otherwise, it is almost impossible to avoid 'diploma-mill' accusations."
Baklarz added that the CCISP Web site doesn't provide detail such as the rigor of testing or a common body of knowledge. "The stellar reputations that (ISC)2, ISACA and ASIS took years to develop and earn. The CCISP appears to be trendy and is certainly not battle-tested."